Mateusz Marchel

I've been doing PHP development since 2012. I'm passionate about new technologies, and for a couple of years I have liked WordPress very much. If you think that I can help you, please send me an e-mail. I love new challenges!

Privately, I have a beautiful wife, Edyta; I like good music and I play guitar in my free time.

Tag: Ubuntu

What else does your WordPress need?

WordPress uses some additional modules for Apache and PHP. Unfortunately I haven’t found much information about what is actually needed and for what purpose. There are some articles on this subject, but they’re quite old. In this section I’ll show you a couple of WordPress features which don’t work in our environment and how to fix them.

Pretty URLs

So let’s begin with turning on pretty URLs. This feature helps us make our URLs more readable and SEO friendly. In the WordPress Dashboard find the Settings->Permalinks tab. There, choose one of the options you like and save the settings. Now go back to the home page and try to click on a post title. Whoops…

In this case the problem is that the rewrite module is disabled in Apache. Let’s enable it:

sudo a2enmod rewrite
sudo service apache2 restart

Much better now. 🙂

wp_mail

In the previous part I wrote that our WordPress can’t send e-mails, and I suggested installing a plugin which allows us to send messages through SMTP. Let’s install it from the dashboard. We can of course also do it using WP-CLI or by uploading the files manually. Before we proceed to the plugin installation, let’s first install another PHP module. It’s not strictly necessary, because WordPress can work without it, but some plugins cannot.

sudo apt-get install php5-curl
sudo php5enmod curl
sudo service php5-fpm restart

Okay, now we can install Easy WP SMTP (or any other plugin with similar functionality). Configuration is very straightforward – just like configuring any e-mail client such as Outlook or Thunderbird.

This plugin has a feature which helps us check that everything is correct by sending a test e-mail. If you’re using another plugin which doesn’t have this kind of functionality, you can, for example, change the password for your user. WordPress should automatically send an e-mail with information about the password change to the e-mail address attached to your account.

Images scaling and cropping

When we upload an image to our WordPress media library, it is automatically processed so that we can use different image sizes in our posts. Additionally, we can use the built-in image editor, which helps us crop an image, for example. At least it should work that way, but right now if we try to put an image into a post we can only use the full image size.

This is because we don’t have the PHP module called imagick. Let’s install it. We’ll also install the module called GD. In fact imagick is sufficient for WordPress itself, but some plugins may use GD for image manipulation.

sudo apt-get install php5-gd php5-imagick
sudo php5enmod gd imagick
sudo service php5-fpm restart

Now if you upload a new image, it should be possible to use different image sizes and the built-in image editor.

Additional modules

Some plugins use a module called mcrypt, so we can install it while we’re at it:

sudo apt-get install php5-mcrypt
sudo php5enmod mcrypt
sudo service php5-fpm restart

This set of extensions should be sufficient in most cases.

So we’re actually done. In the last part I’ll summarize everything we’ve done and make some additional comments.

Apache, PHP, MySQL

To launch WordPress we need some additional tools. First of all we need to install a server which will listen for requests from users’ browsers and send them responses. WordPress is written in PHP, so we also need to install an interpreter for this language. Last but not least we need a database server, because our blog can’t work without it. WordPress is designed to work with MySQL, so that is the one we need to install.

Apache installation

To install Apache you need to SSH into your instance and run the following command:

sudo apt-get update && sudo apt-get install apache2

As I mentioned in the previous part, sudo apt-get update will fetch information about the software available in the Ubuntu repositories. The && operator means: “if the command on the left side runs successfully, run the command on the right side”. The command sudo apt-get install apache2 launches installation of the apache2 package.

After this operation, when you type the IP address of your instance into the browser address bar, the following page should appear. This indicates that our server works. 🙂

Before we continue, it’s worth checking whether Apache is using the mpm_event module instead of mpm_prefork. It’s about performance. My installation has this module installed and activated by default. You can check this with the command which lists all loaded modules:

To get this installation to work with Apache we need to install another Apache module. Because of license incompatibilities this module is available in the multiverse repository, which is disabled by default, so we need to enable it. You can read about the differences between the types of repositories here. Please open the file /etc/apt/sources.list in your favorite text editor (I will use nano).

sudo nano /etc/apt/sources.list

We should uncomment the appropriate lines (URLs can be different for different regions):

Now we can run the commands:

sudo apt-get update
sudo apt-get install libapache2-mod-fastcgi

After installation the module should be enabled automatically and Apache should be restarted.

If that is not true in your case, you can always enable the module and restart the server yourself by running the following commands:

sudo a2enmod fastcgi
sudo service apache2 restart

CAUTION! If you installed mod_php previously, you should turn it off. You can do this in a similar way:

sudo a2dismod php5
sudo service apache2 restart

Now we’ll configure Apache a bit. I assume that only one site will be running on our instance, so the configuration provided below is very simple. Let’s enable two more modules which we’ll need:

sudo a2enmod alias actions
sudo service apache2 restart

Now we should create a configuration file which tells Apache what should be done with PHP files. All of the Apache configuration files are stored in the /etc/apache2/conf-available directory, so we put our file there as well. I will name it php5-fpm.conf. We can do this, for example, with nano:

A couple of words of explanation:

IfModule checks whether a module is active and, if it is, performs the instructions in the block.

AddHandler tells Apache which action it should take for the described files – in this case, for files with the php extension, the action php5-fcgi will be fired.

Action defines the program to which the request will be passed when the action is fired – in this case, for the action php5-fcgi, the request will be routed to the /php5-fcgi path.

Alias is used to map paths – in this case we define that the path /php5-fcgi from the previous line is actually /usr/lib/cgi-bin/php5-fcgi.

FastCgiExternalServer indicates how to handle the file which we catch with the lines above – in this case it will be run by the server listening on the Unix socket at the /var/run/php5-fpm.sock path. This path is defined in the php-fpm configuration file, which you can find here: /etc/php5/fpm/pool.d/www.conf. The -pass-header option lets us pass to the script HTTP headers which won’t be passed by default, for example the Authorization header.

Directory defines the path to which the following settings will apply.

Require all granted gives everyone permission to access the location – we need to add this line because otherwise we’ll see “Access denied” instead of the results of any PHP script.
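The directives explained above, assembled into a sample php5-fpm.conf together with a check that Apache and php-fpm name the same socket. This is an added example, not the author's original file; the mod_fastcgi.c module test and the /usr/lib/cgi-bin Directory path are assumptions.

```shell
#!/usr/bin/env bash
# Added example; both files are constructed from the description above.
demo=$(mktemp -d)
cat > "$demo/php5-fpm.conf" <<'EOF'
<IfModule mod_fastcgi.c>
    AddHandler php5-fcgi .php
    Action php5-fcgi /php5-fcgi
    Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
    FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /var/run/php5-fpm.sock -pass-header Authorization
    <Directory /usr/lib/cgi-bin>
        Require all granted
    </Directory>
</IfModule>
EOF
printf '[www]\nlisten = /var/run/php5-fpm.sock\n' > "$demo/www.conf"

# Socket path Apache hands PHP requests to (the argument after -socket).
apache_socket() {
    awk '$1 == "FastCgiExternalServer" {
             for (i = 2; i < NF; i++) if ($i == "-socket") print $(i + 1)
         }' "$1"
}

# Socket path php-fpm listens on (the "listen =" line of the pool file).
fpm_socket() {
    sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*//p' "$1"
}

# Succeed only if both files name the same, non-empty socket path.
sockets_match() {   # usage: sockets_match APACHE_CONF POOL_CONF
    local a f
    a=$(apache_socket "$1"); f=$(fpm_socket "$2")
    [ -n "$a" ] && [ "$a" = "$f" ]
}

if sockets_match "$demo/php5-fpm.conf" "$demo/www.conf"; then
    echo "Apache and php-fpm agree on $(fpm_socket "$demo/www.conf")"
else
    echo "socket mismatch: PHP requests will not reach php-fpm"
fi
```

Keeping the Require all granted line inside the Directory block limits the grant to the FastCGI wrapper path instead of opening the whole server.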

How to make your instance more secure?

This post is obviously not a complete security guide, and it’s not meant to be. However, I want to talk about some basics which I think are the minimum when securing our Linux system. I must emphasize that you have complete control of your instance, and it’s your responsibility to take care of the security of your data and your site’s users. I definitely encourage you to keep learning about server administration.

Updates

One of the most important things is regular updates of the system and other installed software. Unfortunately vulnerabilities happen everywhere (a famous example is the vulnerability in the OpenSSL library from 2014), so we should install all security updates as fast as possible. Before we continue, let’s update our system.

The first step is the following command:

sudo apt-get update

This way we ensure that our system “knows” about all the available updates, but nothing will be installed yet.

Next we can do this:

sudo apt-get upgrade

or this:

sudo apt-get dist-upgrade

There is a significant difference between those two. In the first case only packages that were already installed will be updated. However, it is common for one package to depend on others. If a new version of installed software depends on a package which was not required previously and this package is not available in the system, the update will fail. All information about the problems will be printed to the console.

In the second case dependencies are resolved automatically, and some packages can be removed or new packages can be installed. Right now it really doesn’t matter, because we have just launched our instance and we aren’t using it for anything yet. However, once we start the web server and database and our site is made public, we won’t want something to stop working because of an update. It doesn’t mean of course that we shouldn’t update our system. It only means that we always need to know what we are doing and why. We should probably consider launching a staging environment and checking any modifications there first. In the AWS ecosystem it’s really easy to duplicate an EC2 instance.
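One way to see what either command would do before running it is apt-get's simulation mode (-s). The script below is an added example, not part of the original post; it summarises simulated output, and the sample output and package names in it are constructed.

```shell
#!/usr/bin/env bash
# Constructed sample of `apt-get -s dist-upgrade` output (names are made up).
sample_dist_upgrade() {
cat <<'EOF'
Inst examplelib [1.0-1] (1.0-2 Example:1.0/stable [amd64])
Inst exampletool [2.3-1] (2.4-1 Example:1.0/stable [amd64])
Inst example-newdep (0.5-1 Example:1.0/stable [amd64])
Remv example-oldhelper [0.9-1]
Conf examplelib (1.0-2 Example:1.0/stable [amd64])
Conf exampletool (2.4-1 Example:1.0/stable [amd64])
Conf example-newdep (0.5-1 Example:1.0/stable [amd64])
EOF
}

# Summarise a simulated run read from stdin.
summarize_apt_sim() {
    awk '
        $1 == "Remv" { removed = removed " " $2 }
        # An upgrade shows the installed version in [brackets] as field 3;
        # a package that is not installed yet has no such field.
        $1 == "Inst" && $3 ~ /^\[/  { upgraded++ }
        $1 == "Inst" && $3 !~ /^\[/ { added = added " " $2 }
        END {
            printf "upgraded=%d\n", upgraded
            printf "new=%s\n", substr(added, 2)
            printf "removed=%s\n", substr(removed, 2)
        }'
}

# Exit 0 when the run would install new packages or remove existing ones.
changes_package_set() {
    summarize_apt_sim | grep -Eq '^(new|removed)=.+'
}

sample_dist_upgrade | summarize_apt_sim
if sample_dist_upgrade | changes_package_set; then
    echo "review before applying: the installed package set would change"
fi
# On a real system: apt-get -s upgrade | summarize_apt_sim
#                   apt-get -s dist-upgrade | summarize_apt_sim
```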

Some of you have probably noticed that despite installing all updates, the OpenSSL library which I mentioned remains at version 1.0.1f, which is theoretically vulnerable to the HeartBleed attack. In fact it’s not. This version was patched by the Ubuntu maintainers the same day the vulnerability was disclosed. More information here.

Now we should reboot our instance.

sudo reboot

When you run this command your connection will be interrupted. Wait a minute or two and try to connect again.

Change the default SSH port

It’s worth considering changing the default SSH port from 22 to some other number greater than 1023. Many bots used for automated attacks search for an open SSH port, but they limit themselves to the default port. It of course won’t stop all intrusion attempts, but it can help reduce their number. We can change the port in the SSH configuration file. We must edit it as root, so we run the command:

sudo nano /etc/ssh/sshd_config

Of course you can use your favorite text editor instead of nano. 🙂
Let’s find the following line in the file:

Our current connection should not be interrupted, but from now on every new connection to our instance must use the port which we put in the config file. As you remember, we defined some security rules in our EC2 dashboard, so we need to go back there and open up this port.

In the “Network & Security” group we need to find the tab called “Security Groups” and then right-click the group which our instance belongs to. From the menu choose “Edit inbound rules”. Now in place of SSH we select “Custom TCP Rule” and enter the new port number. Remember to save the changes.

Now we should be able to start a new connection. If you’re using the console you should add “-p” followed by the port number. In my case it will be:

ssh -i ~/.ssh/test1-keys.pem ubuntu@52.29.70.252 -p 56321

If you’re connecting with PuTTY, find your instance on the list of saved sessions and load its settings. Now change the port number and save your session again.
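A check worth running after editing sshd_config, shown as an added example that is not part of the original post: it lists every Port directive and passes only when the new port is the single one in effect. The sample files are constructed; 56321 is the port used above.

```shell
#!/usr/bin/env bash
# Added example; the config files below are constructed samples.

# Print every port sshd would listen on according to FILE (default 22).
sshd_ports() {
    awk '/^[ \t]*#/ { next }                      # skip comment lines
         tolower($1) == "port" { print $2; n++ }  # keyword is case-insensitive
         END { if (!n) print 22 }' "$1"
}

# Succeed only if EXPECTED is the single listening port and is above 1023.
check_ssh_port() {   # usage: check_ssh_port FILE EXPECTED
    local ports
    ports=$(sshd_ports "$1")
    [ "$ports" = "$2" ] && [ "$2" -gt 1023 ] && [ "$2" -le 65535 ]
}

demo_dir=$(mktemp -d)
printf '#Port 22\nPort 56321\n' > "$demo_dir/good"
printf 'Port 22\nPort 56321\n'  > "$demo_dir/both"       # port 22 is still open
printf '#Port 56321\n'          > "$demo_dir/commented"  # falls back to default 22

for f in good both commented; do
    if check_ssh_port "$demo_dir/$f" 56321; then
        echo "$f: ok"
    else
        echo "$f: sshd would listen on: $(sshd_ports "$demo_dir/$f" | tr '\n' ' ')"
    fi
done
# On the server itself, validate the syntax first, then check the port:
#   sudo sshd -t && check_ssh_port /etc/ssh/sshd_config 56321
```

Multiple Port lines are all honoured by sshd, so adding the new port without removing or commenting out the old one leaves port 22 reachable.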

Summary

After this part our system is up to date and SSH works on a port other than the default one. As I mentioned, it’s no guarantee that you are 100% secure. I recommend that you read about some tools which can help you in the process of hardening your system. In the next part we’ll install the software which is essential to run our virtual machine as a web server.